Skip to main content

Concepts

Our Managed Kubernetes Offerings

Cloud Temple offers two distinct solutions to meet your container orchestration needs:

  • Managed Core Kubernetes : A minimalist product that provides you with a robust and secure Kubernetes foundation, built on cutting-edge open-source components. It is ideal for expert teams looking to build their own custom platform.
  • Managed Kubernetes : A comprehensive, out-of-the-box solution that includes a full stack of tools for networking, security, storage, continuous deployment, observability, backup, and cost management.

Offer Comparison Table

ComponentManaged Core KubernetesManaged Kubernetes
OSTalosTalos
CNICiliumCilium
CNI ObservabilityHubble
Load BalancerMetalLBMetalLB
IngressNginx Ingress
StorageRook-CephRook-Ceph
Continuous Deployment (GitOps)ArgoCD
ObservabilityPrometheus, Grafana, Loki
Backup and MigrationVeeam Kasten
Cost Management (FinOps)OpenCost
Governance and SecurityKyverno, Capsule
Container RegistryHarbor
Certificate ManagementCert-Manager
SSO AuthenticationOIDC Integration

Managed Kubernetes Product Overview (Complete)

The Managed Kubernetes offering (also referred to as "Managed Kub" or "MK") is a Cloud-Temple-managed Kubernetes containerization solution deployed as Virtual Machines running on Cloud-Temple OpenIaaS IaaS infrastructure.

Managed Kubernetes is built on Talos Linux (https://www.talos.dev/), a lightweight and secure operating system dedicated to Kubernetes. It is immutable, has no shell or SSH access, and is configured exclusively in a declarative manner via the gRPC API.

The standardized installation includes a set of components, mostly Open Source and CNCF-certified:

  • CNI Cilium, with observability interface (Hubble): Cilium is a networking solution for Kubernetes containers (Container Network Interface). It handles security, load balancing, service mesh, observability, encryption, etc. It is a fundamental networking component found in most Kubernetes distributions (OpenShift, AKS, GKE, EKS, etc.). We have included the Hubble GUI for visualizing Cilium traffic flows.

  • MetalLB and nginx: For exposing web applications, 3 nginx ingress-classes are integrated by default:

    • nginx-external-secured: exposure on a public IP, filtered at the firewall level to allow only known IPs (used for the GUIs of various products and the Kubernetes API)

    • nginx-external: exposure on a second unfiltered public IP (or client-specific filtering)

    • nginx-internal: exposure on an internal IP only

      For "non-web" services, a MetalLB load balancer allows exposing services internally or on public IPs. (This enables deploying other ingress controllers, such as a WAF)

  • Distributed Rook-Ceph Storage: For persistent volume (PV) storage, an Open Source distributed Ceph storage system is integrated into the platform. It supports the ceph-block, ceph-bucket, and ceph-filesystem storage-classes. Storage with 7500 IOPS is used, enabling high performance. In production deployments (across 3 AZs), storage nodes are dedicated (1 node per AZ); in non-production deployments (1 AZ), storage is shared with worker nodes.

  • Cert-Manager: The Open Source certificate manager Cert-Manager is natively integrated into the platform.

  • ArgoCD is available for your automated deployments via a CI/CD pipeline.

  • Prometheus Stack (Prometheus, Grafana, Loki): Managed Kubernetes clusters come standard with a complete Open Source Prometheus stack for observability, including:

    • Prometheus

    • Grafana, with numerous dashboards

    • Loki: Platform logs are exported to Cloud-Temple S3 storage (and integrated into Grafana).

  • Harbor is a Container registry that allows you to store your container images or Helm charts directly within the cluster. It performs vulnerability scanning on your images and can digitally sign them. Harbor also supports synchronization with other registries. (https://goharbor.io/)

  • OpenCost (https://github.com/opencost/opencost) is a cost management (FinOps) tool for Kubernetes. It allows you to closely track Kubernetes resource consumption and perform cost allocation/showback by project/namespace.

  • Advanced security policies with Kyverno and Capsule:

    • Kyverno (https://kyverno.io/) is an admission controller for Kubernetes that enables policy enforcement. It is an essential tool for governance and security in Kubernetes.
    • Capsule (https://projectcapsule.dev/) is a permission management tool that simplifies rights management in Kubernetes. It introduces the concept of a tenant, allowing centralized and delegated permissions across multiple namespaces. Through Capsule, users of the Managed Kubernetes platform are granted permissions restricted to their own namespaces only.
  • Veeam Kasten (aka 'k10') is a solution for backing up Kubernetes workloads.

    It enables backing up complete deployments: manifests, volumes, etc., to Cloud-Temple S3 object storage. Kasten uses Kanister to enable application-consistent backups, for example for databases (https://docs.kasten.io/latest/usage/blueprints/).

    Kasten is a cross-platform tool that can work with other Kubernetes clusters (OpenShift, Hyperscalers, etc.). It can therefore be used for reversibility or migration scenarios (K10 handles potential adaptations via transformations, such as changing an ingress-class), as well as for "refresh" operations (e.g., scheduled restoration of a production environment to pre-production).

  • SSO Authentication with an External OIDC Identity Provider (Microsoft Entra, FranceConnect, Okta, AWS IAM, Google, Salesforce, ...)

SLA & Support Information

  • Guaranteed availability (production 3 AZ) : 99.95 %
  • Support : N1/N2/N3 included for the core scope (infrastructure and standard operators).
  • Recovery Time Commitment (ETR) : per Cloud Temple framework agreement.
  • Maintenance (MCO) : regular patching of Talos / Kubernetes / standard operators by MSP, with no service interruption (rolling upgrade).

Response and recovery times depend on the incident severity, in accordance with the support matrix (P1 to P4).

Versioning Policy & Lifecycle

  • Supported Kubernetes: N-2 (3 major releases per year, approximately every 4 months). Each release is officially supported for 12 months, ensuring a Cloud Temple support window of ~16 months maximum per version.
  • Talos OS: aligned with stable Kubernetes versions.
    • Each branch is maintained for approximately 12 months (security patches included).
    • Recommended upgrade cadence: 3 times per year, in alignment with Kubernetes upgrades.
    • Critical patches (CVE, kernel) are applied via rolling upgrade, with no service interruption.
  • Standard operators: updated within 90 days following the stable release.
  • Updates:
    • Major (Kubernetes N+1, Talos X+1): scheduled 3 times/year, via rolling update.
    • Minor: applied automatically within 30 to 60 days.
  • Deprecation: version N-3 → end of support within 90 days after the release of N.

Kubernetes Nodes

Production (multi-zone)

For a "production" deployment (multi-zone), the following machines are used:

AZMachinevCoresRAMLocal Storage
AZ07Git Runner48 GBOS: 256 GB
AZ05Control Plane 1812 GBOS: 128 GB
AZ06Control Plane 2812 GBOS: 128 GB
AZ07Control Plane 3812 GBOS: 128 GB
AZ05Storage Node 11224 GBOS: 128 GB + Ceph 500 GB minimum (*)
AZ06Storage Node 21224 GBOS: 128 GB + Ceph 500 GB minimum (*)
AZ07Storage Node 31224 GBOS: 128 GB + Ceph 500 GB minimum (*)
AZ05Worker Node 1 (**)1224 GBOS: 128 GB
AZ06Worker Node 2 (**)1224 GBOS: 128 GB
AZ07Worker Node 3 (**)1224 GBOS: 128 GB

(*) : Each storage node comes with a minimum of 500 GB of disk space, providing 500 GB of usable distributed Ceph storage (data is replicated across each AZ, hence x3). The free space available to the client is approximately 350 GB. This initial size can be increased during initial provisioning, or later, depending on requirements. Quotas are applied on Ceph, with a Block/File allocation.

(**) : The size and number of Worker Nodes can be adjusted based on the client's compute capacity requirements. The minimum number of Worker Nodes is 3 (1 per AZ), and we recommend increasing their number in batches of 3 to maintain a consistent multi-zone distribution. The size of Worker Nodes can be adjusted, with a minimum of 12 cores and 24 GB of RAM; the upper limit per Worker Node is determined by the size of the hypervisors used (thus potentially 112 cores/1536 GB of RAM with Performance 3 blades). The number of Worker Nodes is limited to 100. The CNCF recommends having Worker Nodes of identical size. The limit on the number of pods per Worker Node is 110.

Dev/Test

For a "dev/test" version, the following machines are deployed:

AZMachinevCoresRAMLocal Storage
AZ0nGit Runner48 GBOS: 30 GB
AZ0nControl Plane812 GBOS: 128 GB
AZ0nWorker Node 1 (**)1224 GBOS: 128 GB + Ceph 300 GB minimum (*)
AZ0nWorker Node 2 (**)1224 GBOS: 128 GB + Ceph 300 GB minimum (*)
AZ0nWorker Node 3 (**)1224 GBOS: 128 GB + Ceph 300 GB minimum (*)

(*) : 3 Worker nodes are used as Storage nodes and are provisioned with a minimum of 300 GB of disk space, providing 300 GB of usable distributed storage (data is replicated three times). The free space available to the client is approximately 150 GB. This initial size can be increased at deployment time, or later, depending on requirements.

(**) : The size and number of Worker Nodes can be adjusted based on the client's compute capacity requirements. The minimum number of Worker nodes is 3 (due to storage replication). The size of Worker Nodes can be adjusted, with a minimum of 12 cores and 24 GB of RAM; the upper limit per Worker node is determined by the size of the hypervisors used (thus potentially 112 cores/1536 GB of RAM with Performance 3 blades). The number of Worker Nodes is limited to 250. The CNCF recommends using worker nodes of identical size. The limit on the number of pods per Worker Node is 110.

RACI

Architecture & Infrastructure

ActivityClientCloud Temple
Define the overall architecture of the Kubernetes serviceCRA
Size the Kubernetes service (number of nodes, resources)CRA
Install the Kubernetes service with a default configurationIRA
Configure the Kubernetes serviceCRA
Configure the base network of the Kubernetes serviceIRA
Deploy the initial identity and access configurationCRA
Define the scaling and high availability strategyCRA

Project and Business Application Management

ActivityClientCloud Temple
Create and manage Kubernetes projectsRAI*
Deploy and manage applications in KubernetesRAI*
Configure CI/CD pipelinesRAI*
Manage container images and registriesRAI*

*may change to "C" depending on the managed services contract

Monitoring and Performance

ActivityClientCloud Temple
Monitor Kubernetes service performanceIRA*
Monitor application performanceRA
Manage Kubernetes service-related alertsIRA*
Manage application-related alertsRA

(*) : Production Cluster only. In Dev/Test, the client is fully autonomous and responsible.

Infrastructure Maintenance and Updates

ActivityClientCloud Temple
Update Kubernetes/OS serviceCRA
Apply security patches to KubernetesCRA
Update deployed applications (operators*)CRA

*Operator package included on Managed Kube - see chapters: Managed Helm Packages

Security

ActivityClientCloud Temple
Manage Kubernetes service securityRARA*
Configure and manage pod security policiesRAI
Manage SSL/TLS certificates for the Kubernetes serviceCRA*
Manage SSL/TLS certificates for applicationsRAI
Implement and manage base role-based access control (RBAC)CR*
Implement and manage client role-based access control (RBAC)RAI

(*) : Production cluster only. In Dev/Test, the client is fully autonomous and responsible.

Backup and Disaster Recovery

ActivityClientCloud Temple
Define the backup strategy for the Kubernetes serviceIRA
Implement and manage backups for the Kubernetes serviceIRA
Define the backup strategy for applicationsRA*I*
Implement and manage backups for applicationsRA*I*
Test disaster recovery procedures for the Kubernetes serviceCIRA
Test disaster recovery procedures for applicationsRA*CI*

*may change to "CI | RA" depending on the managed services contract

Support and Troubleshooting

ActivityClientCloud Temple
Provide level 1 support for the infrastructureIRA
Provide level 2 and 3 support for the infrastructureIRA
Resolve issues related to the Kubernetes serviceCRA
Resolve issues related to applicationsRAI

Capacity Management and Evolution

Production Cluster only. In Dev/Test, the client is fully autonomous and responsible.

ActivityClientCloud Temple
Monitor Kubernetes resource utilizationCRA
Plan service capacity evolutionRAC
Implement capacity changesIRA
Manage application evolution and associated resourcesRAI

Documentation and Compliance

ActivityClientCloud Temple
Maintain Kubernetes product documentationIRA
Maintain application documentationRAI
Ensure Kubernetes service complianceIRA
Ensure application complianceRAI
Conduct Kubernetes service auditsIRA
Conduct application auditsRAI

Kubernetes Operators/CRD Management (included in the product)

ActivityClientCloud Temple
Provisioning of the default Operators catalogCIRA
Updating OperatorsCIRA
Monitoring Operators statusCIRA
Troubleshooting Operators issuesCIRA
Managing Operators permissionsCIRA
Managing Operators resources (addition/removal)CIRA
Backing up Operators resources dataCIRA
Monitoring Operators resourcesCIRA
Restoring Operators resources dataCIRA
Security auditing of OperatorsCIRA
Operators supportCIRA
Managing licenses for OperatorsCIRA
Managing specific support plans for OperatorsCIRA

*Operator package included on Managed Kube - see chapters: Managed Helm Packages

Management of Kubernetes applications/operators/CRDs (client-side)

Production Cluster only. In Dev/Test, the client is fully autonomous and responsible.

ActivityClientCloud Temple
CRD DeploymentI*RA*
Operator UpdatesRAI
Operator Status MonitoringRAI
Operator Issue ResolutionRAI
Operator Permissions ManagementRAI
Operator Resources Management (addition/removal)RAI
Operator Resources Data BackupRAI
Operator Resources MonitoringRAI
Operator Resources Data RestorationRAI
Operator Security AuditingRAI
Operator SupportRAI
Operator Licensing ManagementRAI
Specific Support Plans Management for OperatorsRAI

Certain operator services may be covered depending on the managed services contract.

*may change to "A | RC" depending on the managed services contract

Application Support

ActivityClientCloud Temple
Application support (external service)RAI

Application support can be provided via a complementary service.

RACI (summary)

  • Cloud Temple : Responsible and Accountable (RA) for the Kubernetes platform, cluster security, infrastructure backup, monitoring, CRD.
  • Client : Responsible and Accountable (RA) for application projects, business operators, CI/CD pipelines, application backups.
  • "Gray" area : adaptations and extensions (IAM, specific operators, cluster compliance/security hardening) - billed on a project basis.